Splunk Enterprise Security

subsearch join

jacqu3sy
Path Finder

Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.

index=aaa sourcetype=o365 "*phish URLs*"  
| rename zu as cs_host
| join type=inner cs_host [ | search index=bbb sourcetype="proxy_logs" | fields *] | stats count by cs_host

Appreciate any ideas.

0 Karma
1 Solution

mydog8it
Builder

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host

View solution in original post

0 Karma

wmyersas
Builder

It's legal - but seems to be pointless

You're doing a | join, ostensibly to get more fields, and then immediately throw them all away with a | stats count by

mydog8it
Builder

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host
0 Karma

jacqu3sy
Path Finder

Good spot. Sub search limitations. Its caught me out before and will do again I'm sure! If I switch the query around it works fine. Many thanks.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...